On 3/22/2016 11:14 AM, Andrew Gallagher wrote:
> the question most useful to a user is "given this particular signature, how much confidence should I invest in it?".
No, the question *most* users who bother to use the signature at all ask about it is, "Did it validate?"
The answer to *your* question, "How much confidence should I invest in it?" is, "Very little."
Except in certain specialized situations the only utility for a PGP signature is, "Does it show that the thing signed arrived unchanged?" You cannot reasonably place more confidence in it than that, regardless of the number of known signatures the key has.
1. You don't know if the key was in full control of the person/organization it purports to represent before, during, or after the signatures you are trusting were applied.
2. You don't know if the person in control of the key at the time the thing you care about was signed was being coerced, or not.
And as Robert pointed out, for organizational keys there is no way that you can associate control of the key with a known, trusted individual.
So trying to validate a key in the manner you described in your e-mail is at best a fool's errand. If you enjoy the work, by all means help yourself. But let's please stop pretending that signatures mean more than they really do.
Doug
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
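The distinction Doug draws above, between "did it validate?" (the bytes arrived unchanged and were signed by some key) and "how much confidence should I invest in it?" (what, if anything, is known about that key), is visible in GnuPG's own output. This is an added example, not code from the thread or from GnuPG: it classifies the machine-readable status lines that `gpg --status-fd 1 --verify file.sig file` prints (the `[GNUPG:] ...` format documented in GnuPG's doc/DETAILS). The two sample outputs are constructed, with made-up key IDs and fingerprints, so the script runs offline; `verify_detached` is a convenience wrapper for running it against real files and is not exercised here.

```python
"""Separate what a gpg signature check proves from what it says about the key.

Added example (not from the mailing-list thread). Status keywords follow
GnuPG's doc/DETAILS; the sample status lines below are constructed.
"""
import subprocess
from typing import Dict, List, Optional

# Keywords that answer "did the signed bytes arrive unchanged, and which key
# signed them?"  None of them says anything about who controlled that key.
INTEGRITY_GOOD = {"GOODSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
INTEGRITY_BAD = {"BADSIG"}
INTEGRITY_UNKNOWN = {"ERRSIG", "NO_PUBKEY"}

# Keywords that report the web-of-trust validity of the *key*: a separate
# question from whether the signature verified, and still not an answer to
# "was the key holder who they claim to be, or acting freely, when signing?"
TRUST_LEVELS = {
    "TRUST_UNDEFINED": "undefined",
    "TRUST_NEVER": "never",
    "TRUST_MARGINAL": "marginal",
    "TRUST_FULLY": "full",
    "TRUST_ULTIMATE": "ultimate",
}


def classify_status(status_lines: List[str]) -> Dict[str, Optional[str]]:
    """Reduce gpg status output to the two questions a verifier can answer."""
    result: Dict[str, Optional[str]] = {
        "integrity": "unverifiable",   # stays so until a *SIG line is seen
        "signer_fpr": None,            # full fingerprint from VALIDSIG
        "key_validity": None,          # None: gpg emitted no TRUST_* line
        "expired_or_revoked": None,    # EXPSIG / EXPKEYSIG / REVKEYSIG caveat
    }
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue                   # human-readable chatter, ignore
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword = fields[1]
        if keyword in INTEGRITY_GOOD:
            result["integrity"] = "good"
            # EXPSIG/EXPKEYSIG/REVKEYSIG: the signature itself checked out,
            # but the signature or key lifetime adds a caveat worth surfacing.
            if keyword != "GOODSIG":
                result["expired_or_revoked"] = keyword
        elif keyword in INTEGRITY_BAD:
            result["integrity"] = "bad"
        elif keyword in INTEGRITY_UNKNOWN:
            result["integrity"] = "unverifiable"
        elif keyword == "VALIDSIG" and len(fields) > 2:
            # VALIDSIG carries the full fingerprint; GOODSIG only a short key ID.
            result["signer_fpr"] = fields[2]
        elif keyword in TRUST_LEVELS:
            result["key_validity"] = TRUST_LEVELS[keyword]
    return result


def verify_detached(sig_path: str, data_path: str, gpg: str = "gpg") -> Dict[str, Optional[str]]:
    """Run gpg on real files and classify its status output (needs gpg installed)."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return classify_status(proc.stdout.splitlines())


# Constructed: the signature verifies, but the key has no path in the local
# web of trust (TRUST_UNDEFINED). Key ID and fingerprint are made up.
SAMPLE_GOOD_UNTRUSTED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0",
    "[GNUPG:] SIG_ID dGhpcyBpcyBub3QgYSByZWFsIHNpZ2lk 2016-03-22 1458648840",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-03-22 1458648840 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

# Constructed: the data was modified after signing.
SAMPLE_TAMPERED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>",
]

if __name__ == "__main__":
    for name, sample in (("good-but-untrusted", SAMPLE_GOOD_UNTRUSTED),
                         ("tampered", SAMPLE_TAMPERED)):
        print(name, classify_status(sample))
```

For the first sample the classifier reports `integrity: good` and `key_validity: undefined`: the file is exactly what the holder of key 0123456789ABCDEF signed, and nothing more. Tooling that collapses this into a single "verified" badge throws away the second half of the answer, which is the half Doug's two numbered points are about.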